Analysis
- max time kernel: 30s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-06-2021 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: docs,06.21.doc
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: docs,06.21.doc
- Resource: win10v20210410
General
- Target: docs,06.21.doc
- Size: 50KB
- MD5: a75fa282ba05937f43c4425e548f1d5c
- SHA1: 565ca43482c76d02eb4f5e55deb2af53dfa3b8db
- SHA256: 266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602
- SHA512: 6343c053c5cca9f6e4b9e4b157c19aba9c47cc1722e4b8a158009cce7c7a8cb88dc3cbb95581888c76fd708c1d8c212dca1a5dc9a393594957fb7f6602c119f5
Malware Config
Extracted
- Family: gozi_ifsb
- 6000
- gtr.antoinfer.com
- app.bighomegl.at
- build: 250204
- exe_type: loader
- server_id: 580
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: cmd.exe
  Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process (pid 1232 cmd.exe, pid_target 792 WINWORD.EXE)
- Blocklisted process makes network request (1 IoC)
  Processes: mshta.exe
  flow 6, pid 1300, process mshta.exe
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe
  pid 1780, process regsvr32.exe
- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
  File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Office loads VBA resources, possible macro or embedded object present
- Modifies Internet Explorer settings
  Processes: WINWORD.EXE, mshta.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (WINWORD.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (WINWORD.EXE)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (WINWORD.EXE)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: WINWORD.EXE
  pid 792, process WINWORD.EXE
- Suspicious use of SetWindowsHookEx (16 IoCs)
  Processes: WINWORD.EXE
  pid 792, process WINWORD.EXE (16 occurrences)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: WINWORD.EXE, cmd.exe, mshta.exe
  - PID 792 (WINWORD.EXE) wrote to memory of 1232 (cmd.exe), 4 times
  - PID 1232 (cmd.exe) wrote to memory of 1300 (mshta.exe), 4 times
  - PID 792 (WINWORD.EXE) wrote to memory of 1188 (splwow64.exe), 4 times
  - PID 1300 (mshta.exe) wrote to memory of 1780 (regsvr32.exe), 7 times
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c c:\\users\\public\\buttListboxSngl.hta
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta"
      - Blocklisted process makes network request
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe (depth 4)
        Command line: "C:\Windows\System32\regsvr32.exe" c:\users\public\buttListboxSngl.jpg
        - Loads dropped DLL
  - C:\Windows\splwow64.exe (depth 2)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\users\public\buttListboxSngl.hta
  MD5: aa68b2d92b79feae09dcb76d34ac9fb7
  SHA1: 8ead6aa56c4426d4fe5f7d415d927379a116c03d
  SHA256: 7a8ba83948952fb9fdc6237adf609e8e3f1caf2dbce6ca6e6b5ae4aca0d04a20
  SHA512: a09cf9694aee32013a3ee6718d30168f6ee2fb407a7396fece6388009de9608391725d4e590f1f659fcfcd7830cb644310cae4463127772fa5d00ed8f7fbc793
- \??\c:\users\public\buttListboxSngl.jpg
  MD5: f898faedc2fd455398a9efdebf1ce335
  SHA1: 781b649cff1e06c3ce2a8c64eccbe47bd8f126fa
  SHA256: cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495
  SHA512: 6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4
- \Users\Public\buttListboxSngl.jpg
  MD5: f898faedc2fd455398a9efdebf1ce335
  SHA1: 781b649cff1e06c3ce2a8c64eccbe47bd8f126fa
  SHA256: cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495
  SHA512: 6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4
- memory/792-61-0x000000006FAF1000-0x000000006FAF3000-memory.dmp (Filesize 8KB)
- memory/792-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/792-75-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
- memory/792-60-0x0000000072071000-0x0000000072074000-memory.dmp (Filesize 12KB)
- memory/1188-67-0x0000000000000000-mapping.dmp
- memory/1188-68-0x000007FEFB561000-0x000007FEFB563000-memory.dmp (Filesize 8KB)
- memory/1232-64-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize 8KB)
- memory/1232-63-0x0000000000000000-mapping.dmp
- memory/1300-66-0x0000000000000000-mapping.dmp
- memory/1780-69-0x0000000000000000-mapping.dmp
- memory/1780-73-0x000000006A910000-0x000000006A91D000-memory.dmp (Filesize 52KB)
- memory/1780-74-0x000000006A910000-0x000000006AA40000-memory.dmp (Filesize 1.2MB)
- memory/1780-76-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)